Open alberpilot opened 2 years ago
Before applying these changes, it is necessary to check if the Wazuh central components are running correctly. As a Proof of Concept test, I deployed an AIO installation with the Installation assistant.
As a conclusion, no related errors were generated and everything is working fine. It is needed to ensure that this change does not break anything. We should discuss this change with the rest of the teams, and if so, perform deeper testing.
wazuh-packages branch with the changes: https://github.com/wazuh/wazuh-packages/tree/feature/1922-consider-to-increase-the-wazuh-cert-toolsh-rsa-2048-and-sha-256-to-4096-and-512
We have to also change this command:
openssl req -new -nodes -newkey rsa:2048 -keyout ${cert_tmp_path}/${server_name}-key.pem -out ${cert_tmp_path}/${server_name}.csr -config ${cert_tmp_path}/${server_name}.conf
In order to assure the certificates are changed to RSA-4096.
There are more commands similar to this one we have to change and test in order to include SHA-512 too.
I've been researching through the AIO installation I did with the new certificates looking for problems with the certificates. I've activated debug mode but did not find anything out of the ordinary. I'll keep investigating this with the help of my team.
Moved to 5.0.0 as part of the DevOps overhaul.
Link from the report update that is in the PR: https://github.com/wazuh/wazuh-packages/pull/3066#issuecomment-2271404895
The Wazuh certificates creation tool uses the cipher algorithms RSA 2048 and SHA 256. It's time to analyze if we can upgrade them to 4096 and 512 respectively.
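A way to confirm that the parameters discussed in this issue actually end up in the output, as an added example that is not part of the issue thread or of wazuh-cert-tool.sh: it runs the `openssl req` call quoted above with key size and digest as parameters (`-sha512` is the standard OpenSSL digest option) and reads both values back from the CSR. Node names, subject and temporary paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from wazuh-cert-tool.sh. Names and paths are constructed.

# make_csr DIR NAME BITS DIGEST
# Same shape as the openssl req call in the issue, with size and digest parameterised.
make_csr() {
    dir=$1; name=$2; bits=$3; digest=$4
    # Minimal request config (constructed): no prompts, CN only.
    cat > "${dir}/${name}.conf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = ${name}
EOF
    openssl req -new -nodes -newkey "rsa:${bits}" "-${digest}" \
        -keyout "${dir}/${name}-key.pem" -out "${dir}/${name}.csr" \
        -config "${dir}/${name}.conf" 2>/dev/null
}

# csr_params FILE
# Prints "<key bits> <signature algorithm>" as recorded in the CSR itself.
csr_params() {
    text=$(openssl req -in "$1" -noout -text) || return 1
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    sig=$(printf '%s\n' "$text" |
        sed -n 's/.*Signature Algorithm: *\([A-Za-z0-9-]*\).*/\1/p' | head -n 1)
    printf '%s %s\n' "$bits" "$sig"
}

# check_csr FILE BITS SIGALG
# Succeeds only when both the key size and the signature algorithm match.
check_csr() {
    [ "$(csr_params "$1")" = "$2 $3" ]
}

# Demo: current parameters next to the proposed ones.
work=$(mktemp -d)
make_csr "$work" demo-old 2048 sha256 && csr_params "$work/demo-old.csr"
make_csr "$work" demo-new 4096 sha512 && csr_params "$work/demo-new.csr"
rm -rf "$work"
```

A CSR produced by a call that changed only `rsa:2048` to `rsa:4096` fails `check_csr` for SHA-512 unless the digest is also set, which is the second half of the change mentioned in the thread.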